author Michael Stahl <michael.stahl@allotropia.de> 2024-01-15 20:55:07 +0100
committer Caolán McNamara <caolan.mcnamara@collabora.com> 2024-01-20 17:39:21 +0100
commit 3f9979db2331e9cdf73743cc68a3ce7174ea54fa
tree 5edcbdb22a55bd1531883480ec7c4183c0fe6b5e /schema
parent 908abf0b0e36fd1c6e8d3df48e9c35ce911c9bda
tdf#105844 xmlsecurity: fix test failure on WNT
Commit 4d6e9d5e155da1dde05233eb87691e2a454162f6 added 2 tests that always fail on WNT, unfortunately Jenkins doesn't actually run the tests.

There are 3 certificates involved:
"Xmlsecurity RSA Test Root CA"
"Xmlsecurity Intermediate Root CA"
"Xmlsecurity RSA Test example Alice"

In the signature XML, there are 3 elements that contain or reference certificates:
1. X509Data - xmlsecurity produces only the signing certificate here
2. xd:SigningCertificate (XAdES) - again only the signing certificate
3. xd:EncapsulatedX509Certificate (XAdES) - xmlsecurity produces the full certificate chain here

All of these elements *could* contain the full certificate chain, but in LO-produced XML signatures only 3. does.

The problem is that the function CheckUnitTestStore() that looks up a certificate in a unit-test-specific CA store via $LIBO_TEST_CRYPTOAPI_PKCS7 can only handle a root certificate, it does not recursively retrieve and check a certificate chain.

The SecurityEnvironment_MSCryptImpl::verifyCertificate() already has a parameter "seqCerts" to pass in the full certificate chain, but due to the way the data from the XML is processed, it gets passed only the content of the X509Data element(s), which, for LO-produced signatures, do not contain the full certificate chain.

Instead of improving the unit-test-specific function, let's try to get all the certificates out of the XML signature, and then pass them to verifyCertificate().

Of course this requires some consistency checks so that the verification can't be fooled by different certificates in different XML elements.

Change-Id: I8ca541887ceac2dfb6af5d96a5565cfa58d7f682
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/162170
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 3e9a700091872480dd085f0928d1d30b7d74cfd7)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/162139
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Diffstat (limited to 'schema')
0 files changed, 0 insertions, 0 deletions
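
The commit message above describes gathering certificates from all three XML locations and checking them for consistency before they are passed to verifyCertificate(). The following is an added illustration, not LibreOffice code: the acceptance policy, the SHA-256 assumption, the function names and the byte strings standing in for certificates are all constructed for this sketch.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XD = "http://uri.etsi.org/01903/v1.3.2#"   # XAdES namespace

def b64(data):
    return base64.b64encode(data).decode()

def collect_chain(signature_xml):
    """Merge certificates from X509Data and xd:EncapsulatedX509Certificate,
    raising ValueError when the locations disagree (hypothetical policy)."""
    root = ET.fromstring(signature_xml)
    x509data = [base64.b64decode(e.text) for e in root.iter(f"{{{DS}}}X509Certificate")]
    encapsulated = [base64.b64decode(e.text)
                    for e in root.iter(f"{{{XD}}}EncapsulatedX509Certificate")]
    # Digests listed under xd:SigningCertificate; SHA-256 is assumed here,
    # a real verifier must honour the ds:DigestMethod of each entry.
    digests = {base64.b64decode(e.text)
               for sc in root.iter(f"{{{XD}}}SigningCertificate")
               for e in sc.iter(f"{{{DS}}}DigestValue")}
    signers = [c for c in x509data if hashlib.sha256(c).digest() in digests]
    if len(signers) != 1:
        raise ValueError("X509Data and xd:SigningCertificate disagree on the signer")
    signer = signers[0]
    if encapsulated and signer not in encapsulated:
        raise ValueError("signer is not among the encapsulated certificates")
    chain = [signer]
    for cert in x509data + encapsulated:
        if cert not in chain:
            chain.append(cert)
    return chain  # still has to go through real chain validation

def sample(x509, digest_of, encapsulated):
    """Build a constructed, unsigned skeleton with only the elements of interest."""
    enc = "".join(f"<xd:EncapsulatedX509Certificate>{b64(c)}</xd:EncapsulatedX509Certificate>"
                  for c in encapsulated)
    digest = b64(hashlib.sha256(digest_of).digest())
    return (f'<ds:Signature xmlns:ds="{DS}" xmlns:xd="{XD}"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{b64(x509)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
            f"<xd:SigningCertificate><xd:Cert><xd:CertDigest><ds:DigestValue>{digest}"
            f"</ds:DigestValue></xd:CertDigest></xd:Cert></xd:SigningCertificate>"
            f"<xd:CertificateValues>{enc}</xd:CertificateValues></ds:Signature>")

# Constructed stand-ins for DER certificates (not real X.509 data).
ALICE, INTERMEDIATE, ROOT, OTHER = b"alice-der", b"intermediate-der", b"root-der", b"other-der"
```

The merged list is only a candidate chain: the elements checked here are only trustworthy if they are covered by the signature, and the chain still has to be validated against a trust store.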